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ABSTRACT 



Protocols and architecture for secure virtual private net- 
works. Intraenterprise data communications are supported in 
a secure manner over the Internet or other public network 
space with the implementation of secure virtual private 
networks. Members of a virtual private network group 
exchange data that may be compressed, encrypted and 
authenticated, if the exchange is between members of the 
group. 

16 Claims, 7 Drawing Sheets 
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APPARATUS FOR IMPLEMENTING 
VIRTUAL PRIVATE NETWORKS 

RELATED INFORMATION 

The present invention is related to the one described in 
Copending U.S. patent application entitled "Architecture for 
Virtual Private Networks" Sen No. 08/874,090, assigned to 
the assignee of the present invention and filed concunenlly 
herewith. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to the field of data commu- 
nications. More particularly, the present invention relates to 
techniques for implementing secure virtual private networks 
over public or otherwise insecure data communications 
infrastructures. 

2. Background 

In recent years organizations have come to rely heavily on 
the ability to transmit electronic data between members of 
the organization. Such data typically includes electronic 
mail and file sharing or file transfer. In a centralized, single 
site organization, these transfers of electronic data arc most 
commonly facilitated by a local area network (LAN) 
installed and operated by the particular enterprise. 

Preventing unauthorized access to data traversing an 
enterprise's LAN is relatively straightforward. This applies 
to both unauthorized accesses by members of the enterprise 
and, more importantly, to third parties on the outside. As 
long as intelligent network management is maintained, 
unauthorized accesses to data traversing an enterprise's 
internal LAN are relatively easily avoided. It is when the 
enterprise spans multiple sites that security threats from the 
outside become a major concern. 

For distributed enterprises that desire the conveniences of 
the above-described electronic data transfers, there are sev- 
eral options that exist today, but each with associated 
disadvantages. The first option is to interconnect the offices 
or various sites with dedicated, or private communications 
connections often referred to as leased lines. This is the 
traditional method organizations use to implement a wide 
area network (WAN). The disadvantages of implementing 
an enterprise owned and controlled WAN are obvious: they 
are expensive, cumbersome and frequently underutilized if 
they are established to handle the peak capacity require- 
ments of the enterprise. The obvious advantage to this 
approach is that the lines are dedicated for use by the 
enterprise and are therefore secure, or reasonably secure 
from eavesdropping or tampering by intermediate third 
parties. 

An alternative to the use of dedicated communications 
lines in a wide area network is for an enterprise to handle 
intersite data distributions over the emerging public network 
space. Over recent years, the Internet has transitioned from 
being primarily a tool for scientists and academics to a 
mechanism for global communications with broad ranging 
business implications. The Inlerael provides electronic com- 
munications paths between millions of computers by inter- 
connecting the various networks upon which those comput- 
ers reside. It has become commonplace, even routine, for 
enterprises, even those in nontechnical fields, to provide 
Internet access to at least some portion of the computers 
within the enterprise. For many businesses this facilitates 
communications with customers, potential business partners 
as well as the distributed members of the organization. 
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Distributed enterprises have found that the Internet is a 
convenient tool to provide electronic communications 
between members of the enterprise. For example, two 
remote sites within the enterprise may each connect to the 

5 Internet through a local Internet Service Provider 0SP). This 
enables the various members of the enterprise to communi- 
cate with other sites on the Internet including those within 
their own organization. The limiting disadvantage of using 
the Internet for intra -enterprise communications is that the 

10 Internet is a public network space. The route by which data 
communication travel from point to point can vary on a per 
packet basis, and is essentially indeterminate. Further, the 
data protocols for transmitting information over the various 
networks of the Internet are widely known, and leave 

15 electronic communications susceptible to interception and 
eavesdropping with packets being replicated at most inter- 
mediate hops. An even greater concern arises when it is 
realized that communications can be modified in transit or 
even initiated by impostors. With these disconcerting risks, 

20 most enterprises are unwilling to subject their proprietary 
and confidential internal communications to the exposure of 
the public network space. For many organizations it is 
common today to not only have Internet access provided at 
each site, but also to maintain the existing dedicated com- 

25 munications paths for internal enterprise communications, 
with all of the attendant disadvantages described above. 

While various encryption and other protection mecha- 
nisms have been developed for data communications, none 
completely and adequately addresses the concerns raised for 

30 allowing an enterprise to tmly rely on the public network 
space for secure intra-enterprise data communications. It 
would be desirable, and is therefore an object of the present 
invention to provide such mechanisms which would allow 
the distributed enterprise to rely solely on the public network 

35 space for intra-enterprise communications without concern 
for security risks that presently exist. 

SUMMARY OF THE INVENTION 
From the foregoing it can be seen that it would be 

40 desirable and advantageous to develop protocols and archi- 
tecture to allow a single organization or enterprise to rely on 
the public network space for secure intraorganizational 
electronic data communications. The present invention is 
thus directed toward the protocols and architecture for 

45 implementing secure virtual private networks over the Inter- 
net or other public network apparatuss. The architecture of 
the present invention introduces a site protector or virtual 
private network (VPN) unit which moderates data commu- 
nications between members of a defined VPN group. In 

50 accordance with one embodiment of the present invention, 
the site protector resides on the WAN side of the site's router 
or routing apparatus which is used to connect the enterprise 
site to the Internet. In alterative embodiments, the site 
protector will reside on the LAN side of the router. The 

55 essential point for all embodiments is that the site protector 
be in the path or all relevant data trafi&c. 

To ensure secure data communications between members 
of the same VPN group, the site protector or VPN Unit 
implements a combination of techniques for data packet 

60 handling when packets arc to be sent between members of 
the group. The packet handling processes include various 
combinations of compression, encryption and 
authentication, the rules for each of which may vary for 
members of different groups. For each group defined as a 

65 virtual private network, the various parameters defining the 
compression, encryption and authentication are maintained 
in lookup tables in the associated VPN Units. The lookup 
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tables maintain information not only for fixed address mem- nicalions over the Internet or other public network space, 

hers of the group but support is also provided for remote Although the present invention is described predominantly 

clients. This ability allows remote users to dial into a local in terms of utilizing the Internet as a communications 

Internet Service Provider and still maintain membership in medium, the concepts and methods are broad enough to 

a virtual private network group for secure communications 5 accomplish the implementation of secure virtual private 

over the Internet with other members of the group. In the networks over other public or insecure communications 

case of a remote client, the site protector may, in one media. Throughout this detailed description, numerous spe- 

cmbodiment, be simulated by software running on the cific details are set forth such as particular encryption or key 

remote client. management protocols, in order to provide a thorough 

In other aspects of the present invention, the VPN Units understanding of the present invention. To one skilled in the 

or site protectors may be dynamically configured to add or art, however, it will be understood that the present invention 

subtract members from the virtual private network group or may be practiced without such specific details. In other 

recognize their movement, or change other parameters instances, well-known control structures and apparatus com- 

affecting the group. Various other packet handling aspects of ponents have not been shown in detail in order not to 

the invention include addressing the problem of some data obscure the present invention. 

packets growing too large by the inclusion of enciyp to instances, components implemented by the 

authentication informaUon Another packet handlmg aspect ^^^^^ .^^^^^^^ ^^^^^^^ architectural, func 

provides a mechanism for Internet communications which f. 1 1 , » , r 1 . l c j • 

hides information identifying the source and destination of t^onal level. Many of the elements may be configured using 

the data packet. In this aspect of the present invention, the well-known structures, parUcularly those designated as 

VPN Units are treated as the source and destination for the 20 relating to various compression or encryption techniques 

Internet communication data packets with the VPN Units Additionally, for logic to be included withm the apparatus of 

encapsulating the source and destination addresses of the the present mvention, functionaUty and flow diagrams are 

cndstations. described in such a manner that those of ordinary skill in the 

There is also disclosed a hardware architecture and imple- art will be able to implement the particular methods without 

mentation for a VPN Unit. This cmbodimeot is one designed 25 ^^iclue experimentation. It should also be understood that the 

to reside on the WAN side of a given site's router. In the techniques of the present invention may be implemented 

illustrated embodiment, a combination of computer hard- using a variety of technologies. For example, the virtual 

ware and software are provided for carrying out the pro- private network unit or site protector to be described further 

cesses of the VPN apparatus for compression, encryption herein may be implemented in software running on a com- 

and authentication under the direction of a microprocessor. 3Q puter apparatus, or implemented in hardware utilizing either 

BRIEF DESCRIPTION OF THE DRAWINGS * combination of microprocessors or other specially 

designed application specific integrated circuits, program- 

The objects, features and advantages of the present invcn- ^^^^^ ^^^^^ devices, or various combinations thereof. It will 

tion will be apparent from the following detailed understood by those skiUed in the art that the present 

description, in which: invention is not limited to any one particular implementation 

FIG. 1 illustrates a prior art configuration for an excm- technique and those of ordinary skill in the art, once the 

plary enterprise's intraenterprise communication architec- functionality to be carried out by such components is 

ture. described, will be able to implement the invention with 

FIG. 2 illustrates an enterprise communication scenario in various technologies without undue experimentation, 

accordance with the present invention utilizing the Internet Referring now to FIG. 1 there is shown a traditional 

or other public network space as the vehicle for conveying scenario for intra-enterprise data communications for a 

messages between members of a virtual private network. distributed organization. In this illustration of an exemplary 

FIG. 3 illustrates a flow diagram for the handling of a organization configuration, the enterprise consists of a head- 
packet being transmitted from one member of a virtual quarters location 105 with additional sites or branches 110 
private network group to another member over the Internet. 45 and 112, respectively. In modern organizations, such as the 

FIG. 4 illustrates the handling of a data packet received exemplary one of FIG. 1, the headquarters' site 105 as well 

over the Internet by one member of a virtual private network as the branch sites 110 and 112 may each comprise numer- 

group from another member. ous personnel, many of whom are provided with computers 

FIG. 5 illustrates graphically the life cycle of a data packet or work stations with network access. The internal network 

being sent from one member of a virtual private network 50 configurations at the headquarters for branches may take 

group to another over the Internet. many forms including one or several local area networks 

FIG. 6 illustrates an alternate life cycle of a data packet (LANs). For intersite conimunications between headquar- 

being sent from one member of a virtual private network ters and the branches, dedicated or leased communications 

group to another over the Internet where the source and lioes 115 and 120 may be provided. In addition, an optional 

destination addresses of the group members are also con- 55 dedicated communications path 125 may be provided 

sealed. between the branches 110 and 112. As an alternative to the 

HG. 7 illustrates an architectural block diagram for an optional dedicated communications line 125 between the 

implementation of a virtual private network unit in accor- branches, data packets between branch 110 and branch 112 

dance with one embodiment of the present invention. may be routed through the headquarters' network equip- 

FIG. 8 illustrates a more detailed block diagram for one ^° 

implementation of a virtual private network unit in accor- I" addition to the dedicated communications lines 

dance with one embodiment of the present invention. between the headquarters and the vanous branches, it is 

common today to provide computer users within an orga- 

DETAILED DESCRIPTION OF THE nization access to the Internet for electronic mail to external 

INVENTION g5 parties as weU as for doing various types of research over the 

An apparatus and apparatus are disclosed for implement- Internet using such tools as the World Wide Web, etc. As 

ing secure virtual private networks for enterprise commu- shown in FIG. 1, the usual scenario where the headquarters' 
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site 105 and the branches 110 and 112 are each separately 
provided with direct access to Internet Service Providers 
130, 133 and 136, respectively. This facilities the users at the 
various sites with their access to the Internet for the above 
purposes. In an alternate configuration, it may be that only s 
the headquarters site 105 is provided with access to an 
Internet service provider 130 and that users of the computers 
of the branch sites 110 and 112 will connect to the Internet 
through headquarters via their dedicated communications 
paths 115 and 120. The downside to this alternate, configu- 
ration is that it greatly increases the bandwidth utilization on 
the dedicated lines, perhaps to the point of saturation. An 
advantage is that only one gateway to the Internet need be 
provided for the organization which simplifies enforcing 
security constraints on connections to the outside world. 

In the exemplary organization 100, it is also shown that in 
some circumstances it may be desirable to allow customers 
or other business partners to dial in directly to the computer 
network of the organization. In FIG. 1 it is illustrated that the 
customer 140 may in fact carry out such communications 20 
over a communications path 145 which may be a dedicated 
line provided between the customer and the organization for 
the customer's convenience. The path 145 may also be a 
dial-up line which the customer might use only sporadically. 
Consistent with the emerging use of the Internet and its ^5 
popularity, the customer 140 is shown having its own 
Internet connection through ISP 148. 

Finally, there is shown in FIG. 1 that it is frequently 
desirable for other members of the enterprise who may be on 
the road or working from home or other remote locations to 30 
exchange data with other members of the enterprise. There 
is thus shown remote clients 150 and 155 communicating 
with the headquarters over long distance telephone lines 157 
and 158. This example assumes that the remote clients are in 
a truly remote location from the headquarters. The remote 35 
clients 150 and 155 are also respectively shown having local 
access to the Internet through local ISPs 160 and 165. 

The above description of an enterprises data communi- 
cations configuration according to FIG. 1 illustrates the 
disadvantages described in the previous section. These dis- 40 
advantages are eliminated by implementation of the present 
invention as illustrated generally with reference to FIG. 2. In 
the enterprise network communication configuration 200 
illustrated in FIG. 2, the headquarters 105, first branch 110 
and second branch 112 of the organization are illustrated in 45 
a more detailed logical way then presented in RG. 1. Thus, 
the headquarters 105 is illustrated with three endstations 
201, 202 and 203, respectively coupled to communicate data 
packets over local area network (LAN) 205. Likewise, the 
branch site 110 is shown having a plurality of endstations 50 
211, 212 and 213 respectively coupled to communicate data 
locally over LAN 215. Finally, the second branch site 112 is 
shown with an illustrative set of computer stations 221, 222 
and 223 connected to communicate over LAN 225. The 
customer site 140 is also illustrated in FIG. 2 as comprising S5 
of plurality of computers illustrated by 331 and 332 coupled 
to communicate over the customer's LAN 235. The local 
area networks utilized for data communications within the 
headquarters, customer and branch sites may adhere to a 
wide variety of network protocols, the most common of 60 
which are Ethernet and Tbken Ring. 

As can be seen in FIG. 2, the dedicated communications 
fines between the headquarters site 105 and the branch sites 
110 and 112 as well as between the headquarters site 105 and 
the customers site 140 have been eliminated. Instead, in 65 
accordance with the present invention data communications 
between members of the organization are intended to be 
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carried out over the Internet or other public network space. 
For purposes of the present invention, it will be assumed that 
it is the widely emerging Internet that will be the medium for 
data packet transfers between members of the organization. 

Each of the LANs for the particular sites illustrated in 
FIG. 2 ultimately interconnect to the Internet 250 through an 
associated routing or gateway device which are identified as 
routers 240, 242, 244 and 246, respectively. It is to be 
understood that data packets conveyed between a various 
sites illustrated in 200 would traverse, in many cases, a 
plurality of additional routing devices on their way between 
the source and destination sites for the packets. The mecha- 
nisms for data packet transfers over the Internet are well 
known and are not described in great detail herein. It is 
understood that data packets are assembled in accordance 
with the Intemet Protocol (IP) and are referred to herein as 
IP packets regardless of the version of the Internet protocol 
presently in effect. In the case of the remote clients 150 and 
155 illustrated in FIG. 2 it is understood that they utilize 
communication software to dial up a local Internet service 
provider which itself provides the gateways necessary for 
communications over the Internet 250. 

As has been described above, prior efforts to utilize the 
Internet for secure data communications have required an 
awareness or implementation of security considerations at 
the endstations. This is disadvantageous when transparency 
to an end user is desirable. The present invention, on the 
other hand is transparent to end users with data communi- 
cations over the Intemet occurring exactly as they appear to 
have before. However, for users identified as members of the 
same virtual private network, data communications are 
handled in a manner that assures the security and integrity of 
the data packets. Illustrated in FIG. 2, between the Intemet 
250 and each of the respective routers 240, 242, 244 and 
246, are Virtual Private Network Units (VPN Units) 250, 
252, 254 and 256. In accordance with the particular illus- 
trated embodiment of the present invention, the VPN Units 
reside between a site's router and the path to the Intemet. It 
should be understood that this placement of VPNU units in 
the overall system architecture represents only one place- 
ment choice. It wUl be clear from the materials that foUow 
that the key point with respect to VPNU placement is that 
they reside in the path of data trafiBc. In many embodiments, 
it may in fact prove desirable to situate the VPNU on the 
LAN side of a site's router. As will be described in more 
detail below, the VPN Units maintain lookup tables for 
identifying members of specific virtual private network 
groups. 

When a data packet is sent between source and destination 
addresses that are both members of the same VPN group, the 
VPN Unit will process the data packet from the sending side 
in such a way as to ensure that it encrypted, authenticated 
and optionally compressed. Likewise, the VPN Unit servic- 
ing the site where the destination address is located will 
detect that a packet is being propagated between members of 
the same VPN group. The receiving VPN Unit will handle 
the process of decrypting and authenticating the packet 
before forwarding it toward the destination endstation. In 
this way, secure data communications between end users is 
effected in a manner that is transparent to the end users. In 
the case of remote clients 150 and 155, the VPN Unit may 
be simulated in software which operates in conjunction with 
the communication software for connecting the remote 
client to the associated local Internet service provider 

The functionality of the VPN Units will be described with 
reference to the following figures beginning with the flow- 
chart of FIG. 3. When a data packet originates from an 
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endstation, such as eadstation 202 of LAN 205 at site 105, 
and its destination is to a remote site, other than the 
headquarters site 105, it will initially be treated as an 
ordinary Internet data packet transfer. The packet will pro- 
ceed from the endstation 202 over the LAN 205 to the 
routing device 240 which will encapsulate the data packet in 
accordance with the Internet Protocol, forming an outbound 
IP packet. On its way out of the site, the IP packet will pass 
through the associated VPN Unit for the site. The flowchart 
illustrated at FIG. 3 shows the functional operation of a VPN 
Unit for an outbound packet that is received thereby. The 
Transmit Packet procedure 300 begins when the outbound 
data packet is received at the VPN Unit at step 310. At 
decision box 320, it is determined whether or not the source 
and destination addresses for the data packet are both 
members of the same VPN group. This determination may 
be made with reference to lookup tables that are maintained 
by the VPN Units or reference to other memory mecha- 
nisms. This step may be thought of as member filtering for 
data packets being transmitted between the particular site 
and the VPN Unit which services it. If the source and 
destination address for the data packet are not both members 
of the same VPN group, then at step 330 the packet is 
forwarded to the Internet as ordinary Internet traffic from the 
site as though the VPN Unit were not involved. In which 
case, the procedure ends at step 335. In one alternative 
embodiment, it may be desirable to discard data traffic that 
is not destined between members of a VPN group rather than 
forwarding it as unsecure traffic. In another alternative 
embodiment, it may be desirable to provide the option to 
either pass or discard non-VPN-group data traffic. 

If, at decision box 320, the member filter, it is determined 
that both the source and destination addresses for the data 
packet are members of the same VPN group, then the data 
packet is processed at step 340 undergoing varioxis combi- 
nations of compression, encryption and authentication. The 
lookup tables maintained by the VPN Unit 250 and all of the 
VPN Units, in addition to identifying members of particular 
VPN groups, also identify whether or not data packets 
transferred between members of the particular VPN group 
are to be compressed and if so, what algorithm is to be used 
for compression. Many possible compression algorithms are 
well-known, but in one embodiment of the invention, LZW 
compression is implemented. The lookup table for the VPN 
group of which the source and destination addresses are 
members also identifies the particular encryption algorithm 
to be used for data packets traversing the Internet for that 
VPN group as well as the authentication and key manage- 
ment protocol information to be used thereby. As an alter- 
native to lookup tables, the VPN Unit may be programmed 
to always use the same algorithms for all VPN groups. 

The particular packet processing algorithms to be used for 
VPN traffic may vary, so long as the lookup tables in both 
the sending and receiving VPN Units identify the same 
compression, encryption and authentication rules and are 
capable of implementing and deimplementing them for 
members of the same group. It is to be understood that a 
single VPN Unit may serve multiple VPN groups and that 
particular addresses may be members of multiple groups. 
Thus, at step 340, when a packet is destined from one 
member of the VPN group to another, the packet is pro- 
cessed according to the compression, encryption and authen- 
tication rules identified in the VPN Unit tables for that 
particular VPN group. Then, at step 350, the processed 
packet is forwarded toward the destination address over the 
Internet. The procedure of the sending VPN Unit then ends 
at step 355. 
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The receiving VPN Unit reverses the above processes for 
VPN traffic as illustrated by the flowchart of FIG. 4. The 
Receive Packet procedure 400 begins at step 410 when an 
inbound data packet is received from the Internet at the 
receiving VPN Unit. At decision box 420, the inbound data 
packet is examined to determine if the source and destina- 
tion addresses of the data packet are both members of the 
same VPN group. It is assumed that the lookup tables 
maintained by all of the VPN Units are both consistent and 
coherent. If the inbound data packet is determined not to be 
VPN traffic, then the packet is passed through and forwarded 
to the receiving site as though it were normal Internet data 
traffic at step 430. In which case the process ends at step 435, 
In one alternative embodiment it may be desirable to discard 
incoming data traffic that is not from an identified member 
of a VPN group supported by the VPNU. 

For data packets that are determined to be VPN traffic at 
decision box 420, the VPN Unit will process the inbound 
packet to recover the original data packet as it was provided 
from the source endstation. The lookup table maintained by 
the receiving VPN Unit will identify the compression, 
encryption and authentication rules used for the VPN group 
and reconstruct the original IP packet in accordance with 
those rules at step 440. Then, the reconstructed packet will 
be delivered to the site of the destination address at 450 with 
the procedure ending at step 455. 

FIG. 5 fllustrates graphically the Ufe cycle of the data 
packet sent between two members of the same VPN group. 
The data packet originates from a source 500 and propagates 
from the sources site through its associated router to gen- 
crate IP data packet 510. The data packet 510 is not intended 
to illustrate all the fields associated with a complete IP data 
packet, but shows the relevant portions for this discussion 
which include the destination address, source address and 
the payload information of the packet. The data packet 510 
is then examined by the VPN Unit which determines 
whether the data packet is traffic between members of an 
identified VPN group. The VPN Unit 520 processes the 
packet in accordance with the packet processing procedures 
described above with respect to FIG. 3 with the resulting 
packet being illustrated as packet 530. Packet 530 still 
identifies the destination and source addresses of the data 
packet, but the remainder of the packet is encrypted, and 
optionally compressed. 

Following processing by the outbound VPN Unit, the data 
packet is propagated through the Internet to 550 with the 
destination and source information identifying to the asso- 
ciated routers of the Internet the path by which the packet 
should ultimately lake to reach its destination. The packet 
emerges from the Internet at the edge of the destination site 
as data packet 540 which is essentially identical to the data 
packet 530. The packet is "deprocessed" by the receiving 
VPN Unit 550 which restores the original packet into its 
form 560 for delivery to the ultimate destination through the 
receiving site's associated router at destination 570. 

As was described above, the present invention approach 
to virtual private networks supports not only optional com- 
pression of data packets, but encryption and authentication 
techniques as well. One emerging standard for key manage- 
ment in connection with Internet Protocol data transfers with 
authentication is referred to as simple key management for 
Internet Protocol (SKIP) which is described by U.S. Pat, No. 
5,588,060 assigned to Sun Microsystems, Inc. of Mountain 
View, Calif. Authenticated data transfers using SKIP support 
a mode of data transfer referred to as tunnel mode. The 
above described data transfer with respect to FIG. 5 iUus- 
trates a transport mode of operation in which the data and 
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source addresses are exposed as the data packet traverses the invention, the VPN Unit 700 may be disposed between a 

Internet. In tunnel mode, an added measure of security may site's local area network and its router, in which case the I/O 

be provided by encapsulating the entire data packet in controller 730 would be responsible for data packet trans- 

another packet which identifies the source and destination missions between the VPN Unit 700 and the router, while 

addresses only for the VPN Units. This conceals the ultimate 5 the I/O controller 740 would effectively be the VPN Unit's 

source and destination addresses in transit. interface to the local area network. In this alternative 

FIG. 6 illustrates the life cycle of a data packet being embodiment, data packet transmissions woxild probably 

propagated from a source 600 to a destination 670 utilizing have to be handled in accordance with the network protocol 

tunnel mode. In this mode of operation, the data packet 610 standard of the local area network rather than the public 

is processed by outbound VPN Unit 620 which generates a 10 network space IP transmissions as described above. In cither 

resulting packet 630. The resulting packet 630 encrypts and event, the general architecture for VPN Unit 700 illustrates 

compresses (optionally) not only the data pay load of the that the two I/O controllers 730 and 740 are coupled to 

packet, but the destination and source addresses of the communicate over the apparatus bus 710 through I/O control 

endstations as well. The encapsulated packet is then pro- logic 750. In accordance with this architecture, the I/O 

vided with an additional header that identifies that the source 15 control logic 750 is responsible for arbitrating access to the 

of the packet is the outboimd VPN Unit 620 and that the apparatus bus for the data packets coming in and going out, 

destination is the inbound VPN Unit 650. Thus, the packet and for assuring the necessary throughput for the data 

640 which emerges from the Internet is identical to the connections. 

packet 630 with respect to its source and address informa- As has been described, when a data packet is received at 

tion and encapsulated payload. The packet is decomposed by 20 the VPN Unit 700, whether outbound or inbound, a deter- 

the inbound VPN Unit 650 to reconstruct the original data mination is made by examining the data packet's header as 

packet at 660 for delivery to the destination 670. to whether or not both the source and destination addresses 

The overall architecture of the present invention is robust. represent members of the same VPN group. The determi- 

It allows end users the convenience of proprietary data nation with respect to one embodiment requires interroga- 

communications to take place over a public network space 25 tion of a look-up table, which maintains the identities of the 

such as the Internet. The architecture of the present inven- various VPN groups serviced by the VPN Unit 700, as well 

tion also allows a wide variety of compression, encryption as the group members and the various processing parameters 

and authentication technologies to be implemented, so long for data packets that are exchanged between group members, 

as the VPN Units at each end of the transaction support the In accordance with the general architecture of the VPN Unit 

associated protocols. The present invention is also capable 30 700, this interrogation may be handled by the CPU 705 with 

of working in concert with traditional Internet security reference to look-up tables that would be maintained in the 

mechanisms such as corporate firewalls. A firewall might memory apparatus 720. 

operate in series with the VPN Unit at a given site, or, For data packets that are to be processed as packets being 

intelligently be configured in a single box with the VPN Unit sent between members of a supported VPN group, it has 

to provide parallel firewall and VPN Unit security functions. 35 been described that compression and decompression func- 

Architccture for a Virtual Private Network Unit tions as well as encryption and decryption functions need to 

The above discussion relates to the functionality for be performed for such data. Thus, the VPN Unit 700 
implementing virtual private networks. There is now architecture includes a compression engine 760, coupled to 
described a hardware architecture and implementation for a communicate with the rest of the apparatus over the appa- 
virtual private network unit in accordance with one embodi- 40 ratus bus 710, and an encryption engine 770 similarly 
ment of the present invention. Referring now to FIG. 7 there coupled to the apparatus bus 710. For supporting functions 
is illustrated a general block diagram for a virtual private such as the various key management protocols described 
network unit 700. The general architecture of the VPN Unit above which result in the generation of packet encapsulation 
700 is essentially that of a specially tailored personal com- headers, processing may be carried out by the CPU 705 with 
puter (PC) apparatus architecture. The overall operation of 45 packets being assembled within the CPU 705 or at specified 
the VPN Unit 700 is driven by a central processing unit memory locations in the memory apparatus 720. 
(CPU) 705 which is coupled to communicate with the other Alternatively, logic may be incorporated in the VPN Unit 
components of the apparatus over a apparatus bus 710. In the 700 designed specifically for the support of such key man- 
ge ncral architecture illustrated for VPN Unit 700, the agement protocols or other packet processing operations, 
memory apparatus 720 is also illustrated as residing on the 50 There is finally shown in the VPN Unit 700 architecture 
apparatus bus 710. Those of ordinary skill in the art will of that optional I/O devices 780 may be interfaced to the VPN 
course recognize that various memory configurations may Unit 700 through I/O control logic 790. This may facilitate 
be implemented, some of which may include a dedicated management of the unit either by allowing direct keyboard 
memory bus for higher speed throughput to the memory access to control the processor, or provide a connection path 
apparatus 720. 55 for other communications devices which may need to com- 

The VPN Unit 700 is designed to be an intermediate municate with the VPN Unit 700. 

device between a site's local area network and the Internet Referring now to FIG. 8, there is illustrated a more 

or other public network space. Thus, the VPN Unit 700 is detailed block diagram for one implementation of a VPN 

illustrated as having an 1/0 controller 730 for coupling the Unit in accordance with one embodiment of the present 

VPN Unit 700 to the Internet or other public network space. 60 invention. In the implemented embodiment of VPN Unit 800 

Similarly, an I/O controller 740 is provided for coupling the an architecture is disclosed which is driven by micropro- 

VPN Unit 700 to the site's edge router. In accordance with cessor 805, a 100 MHz Intel 486 DX4. The apparatus bus for 

the above-described functional requirements, the VPN Unit this configuration is the VSIA bus 810 to which the other 

700 resides between the site's router and the Internet. In this components of the apparatus are coupled. The memory 

implementation, the I/O controller 740 is responsible for 65 apparatus in this case is supplied by several banks of fast 

data packet transmissions between the router for the site and dynamic random access memory (DRAM) 820. In accor- 

the VPN Unit 700. In an alternate embodiment of the present dance with this implemented embodiment, a PC chip set 
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implementation from the Opti Corporation is provided at 
825 for controlling the overall operation of the apparatus. 
The Opti chip set, as well as providing a apparatus controller 
funtionality for the 486 DX4 microprocessor, may also be 
utilized to provide an interface to an optional ISA bus 828 S 
to which other peripherals may be coupled to the apparatus. 

In the implemented VPN Unit 800, the I/O connections to 
the public network space 830 arc provided by a series of 
multi-protocol transceivers with a DB-25 connector. 
Similarly, the connections for the private network side of the lO 
unit are provided through additional multi-protocol trans- 
ceivers and an additional DB-25 connector. The I/O con- 
nections to the public and private networks are handled 
through a dual-port SCC 845 which includes a plurality of 
input and output buffers for transmission and receipt of data 15 
packets to the VPN Unit 800. The data packet I/O controller 
is coupled to the VSIA bus 810 through FPGA Control and 
Glue Logic 850. 

The compression engine for the implemented VPN Unit 
800 is provided by an implementation of the STAC com- 20 
pression algorithm using the STAC chip 9710 compression 
engine 860, which is coupled to a dedicated bank of SRAM 
865 to support its processing. Finally, in the implemented 
embodiment the encryption engine is provided by a DES 
engine 870, which may be implemented in either an off- 25 
the-shelf special integrated circuit configuration or one 
designed to operate in accordance with the operation of the 
VPN Unit 800. In accordance with an alternative embodi- 
ment of the present invention, it is conceivable that the 
compression engine and encryption engine could be handled 30 
by software routines running on the microprocessor 805 or 
other general-purpose processing logic. Other alternative 
embodiments may use later generations of microprocessors 
which operate at higher speeds and may require implemen- 
tation of a different apparatus bus such as the emerging PCI 35 
bus standard. Those of ordinary skill in the art will recognize 
alternative and various embodiments which may be 
designed to suit a particular purpose. 

There has thus been described a protocol and architecture 
for implementing virtual private networks for using a public 40 
network space for secure private network data communica- 
tions. Although the present invention has been described 
with respect to certain exemplary and implemented 
embodiments, it should be understood that those of ordinary 
skill in the art will readily appreciate various alternatives to 45 
the present invention. Accordingly, the spirit and scope of 
the present invention should be measured by the terms of the 
claims which follow. 

What is claimed is: 

1. An apparatus for providing secured data communica- 50 
tions between members of a virtual private network group 
comprising: 

input/output (I/O) circuitry for receiving and transmitting 
data packets between the members of said virtual 
private network group; 55 

a system bus in communication with said 1/0 circuitry for 
conveying data between components of said system; 

a compression engine in communication with said system 
bus for compressing outbound data packets and dccom- 
pressing inbound data packets; 

an encryption engine in communication with said system 
bus for encrypting outbound data packets and decrypt- 
ing inbound data packets; 

a central processing unit (CPU) in communication with 65 
said system bus for controlling the processing of data 
packets by said system, said CPU for determining 
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which data packets are being sent between members of 
said virtual private network and for determining the 
data flow for said data packets in accordance with 
predetermined parameters for said virtual private 
network, wherein when said data packets are deter- 
mined to not being sent between members of said 
virtual private network, the data flow for said data 
packets will be treated as ordinary internet trafiEc, and 
will not be processed by said compression engine and 
said encryption engine; and 
a memory device in communication with said system bus 
for maintaining a list of members of said virtual private 
network and for storing said predetermined parameters. 

2. The apparatus of claim 1 wherein said I/O circuitry 
comprises: 

a private 1/0 port for coupling said apparatus to a site*s 
private network; 

a public I/O port for coupling said apparatus to a public 
network space; and 

I/O control logic in communication with said system bus 
and coupled to said private and public I/O ports for 
controlling data packet flow between said apparatus 
and said members of said virtual private network. 

3. The apparatus of claim 2 wherein said CPU generates 
encapsulation headers for outbound data packets in accor- 
dance with a key management protocol. 

4. The apparatus of claim 3 wherein said key management 
protocol comprises the Simple Key Management for Internet 
Protocol (SKIP). 

5. The apparatus of claim 2 wherein said encryption 
engine comprises an appHcation specific integrated circuit 
for performing DES encryption. 

6. The apparatus of claim 2 wherein said encryption 
engine comprises an application specific integrated circuit 
for performing DES encryption or triple-DES encryption in 
accordance with said predetermined parameters. 

7. The apparatus of claim 1 wherein said compression 
engine comprises an integrated circuit for performing LZW 
compression. 

8. The apparatus of claim 1 wherein said memory com- 
prises lookup tables for identifying all the virtual private 
network groups supported by said apparatus and the mem- 
bers of said group wherein said members are each identified 
by a network address and wherein a single network address 
may identify a member of multiple groups. 

9. An apparatus for securely exchanging data packets 
between members of a virtual private network group com- 
prising: 

a first computer at a first site, said first computer having 
a first network address; 

a first router associated with said first site for routing data 
packets originating from said first computer over a 
public network; 

a first virtual private network unit disposed between said 
router and said public network, said first virtual public 
network unit for identifying virtual private network 
group data traffic and for securing said data traffic by 
manipulating said data traffic according to packet 
manipulation rules maintained by said virtual private 
network unit; 

a second router associated with a second site for coupling 
said second site to the public network; 

a second virtual private network unit disposed between 
said second router and the public network for inter- 
cepting network traffic destined for said second site, 
said second virtual public network unit for detecting 
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virtual private network group traffic and for recovering 
original packet data; and 

a second computer at said second site, said second com- 
puter having a second network address for receiving 
said packet data, 

wherein said first and second virtual private network units 
respectively comprise: 

input/output (1/0) circuitry for receiving and transmit- 
ting data packets between the members of said 
virtual private network group; 

a system bus in communication with said I/O circuitry 
for conveying data between components of said 
apparatus; 

a compression engine in communication with said 
system bus for compressing outbound data packets 
and decompressing inbound data packets; 
an encryption engine in communication with said sys- 
tem bus for encrypting outbound data packets and 
decrypting inbound data packets; 
a central processing unit (CPU) in communication with 
said system bus for controlling the processing of data 
packets by said apparatus, said CPU for determining 
which data packets are being sent between members 
of said virtual private network and for determining 
the data flow for said data packets in accordance with 
predetermined parameters for said virtual private 
network, wherein when said data packets are deter- 
mined to not being sent between members of said 
virtual private network, the data flow for said data 
packets will be treated as ordinary internet traffic, 
and win not be processed by said compression 
engine and said encryption engine; and 
a memory device in communication with said system bus 
for maintaining a list of members of said virtual net- 
work and for storing said predetermined parameters. 
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10. The system of claim 9 wherein said I/O circuitry 
comprises: 

a private I/O port for coupling said apparatus to a site's 
private network; 

a public I/O port for coupling said apparatus to a public 
network space; and 

I/O control logic in communication with said system bus 
and coupled to said private and public I/O ports for 
controlling data packet flow between said apparatus 
and said members of said virtual private network. 

11. The system of claim 10 wherein said CPU generates 
encapsulation headers for outbound data packets in accor- 
dance with a key management protocol, 

12. The system of claim 11 wherein said key management 
protocol comprises the Simple Key Management for Internet 
Protocol (SKIP). 

13. The system of claim 10 wherein said encryption 
engine comprises an application specific integrated circuit 
for performing DES encryption. 

14. The system of claim 10 wherein said encryption 
engine comprises an application specific integrated circuit 
for performing DES encryption or triple-DES encryption in 
accordance with said predetermined parameters. 

15. The system of claim 10 wherein said compression 
engine comprises an integrated circuit for performing LZW 
compression, 

16. A system of claim 10 wherein said memory comprises 
lookup tables for identifying aU the virtual private network 
groups supported by said apparatus and the members of said 
group wherein said members are each identified by a net- 
work address and wherein a single network address may 
identify a member of multiple groups. 
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